
Well, encrypting, packaging ... whatever, most of what Viper is doing is getting something across that is probably going through a default desktop version of NAV. NAV can be tweaked to look deeper into things, like Zip files and such.

Once that file gets decrypted or unpackaged, NAV, McAfee or any other will nail it. Looking that deep into an encrypted file will take time. On an enterprise level, we can't afford to take that kind of time. We just delete or quarantine files that cannot be scanned or are encrypted.

Makes some folks a bit testy when something they think is fine gets nailed in the quarantine. But, my network doesn't get nailed.

As far as AV software goes, I think they're both about equal. The security of a system depends mostly on the operator. Keep up with security updates, for both your AV and for your OS, and of course make sure to keep up a good firewall. Many firewalls (ex: BlackIce) can detect the launch of a trojan, even if it slipped past your AV. As long as you keep abreast of new developments and updates, you should be fine.

I am glad of the comments from avdven..........he mentions that you did not decrypt the file.......this was one of the points that I was trying to make when I asked if the virus "would work" after you had messed with it.

Also rapier57 made a nice point:

"Once that file gets decrypted or unpackaged, NAV, McAfee or any other will nail it. Looking that deep into an encrypted file will take time. On an enterprise level, we can't afford to take that kind of time. We just delete or quarantine files that cannot be scanned or are encrypted."

once again along the same lines............but bringing in the concept of how long it would take...I tested something a few days ago in response to a post in this forum.......................it ran for 2 hours 50 and produced 13 false positives against my AV system that ran for 24 minutes and found nothing. I then ran three (3!!!!) offline scans that agreed with my resident AV...they took a little while, but you don't count that. BTW I did not let the test one delete or quarantine!!!

This gets back to my original point that they have different architectures.

I am now going to ask you the question before your Dad does.....(sorry, before I tell him to ask you............................ only jokin).................how many viruses have you been hit with in the last 12 months, and what were their names?

That is a fair question...so let us have the facts.....if the answer is Zero...then you do not have much to go for even with plea bargaining?....if you have a positive value (with dates) I could probably make some sort of a case for you?

Sorry that I cannot help very much without more info,

Cheers

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
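The triage rule rapier57 states above and nihil quotes again (files the scanner cannot see into get quarantined rather than waited on) as an added example, not code from the thread: it flags password-protected ZIP entries via the archive's encryption flag bit and treats high byte entropy as a sign of packed or encrypted content. The entropy threshold of 7.2 bits/byte and all sample inputs are constructed assumptions.

```python
import io
import math
import zipfile

ENTROPY_THRESHOLD = 7.2  # assumed cut-off; compressed/encrypted data sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any member sets bit 0 of the general-purpose flag (entry is encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(data: bytes) -> str:
    """'scan' when a signature scanner can inspect the content, else 'quarantine'."""
    if data[:4] == b"PK\x03\x04" and zip_has_encrypted_entry(data):
        return "quarantine"  # password-protected archive: members cannot be inspected
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "quarantine"  # looks packed/encrypted: pattern matching would see only noise
    return "scan"


def make_zip(name: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Constructed test archive; optionally sets the encryption flag bit on its single entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        # Flag word lives at offset 6 of the local header and offset 8 of the
        # central directory header; the stored bytes themselves are left untouched.
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)
```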

Originally posted here by avdven
The second it is decrypted, NAV, or other main-stream antivirus program, will catch it, and either clean it or quarantine it. The reason NAV and other antiviral programs don't catch encrypted files is because they are harmless until they are decrypted.

Well if tElock is used, the chances of you reversing it successfully without damaging the file are very slim. The way many new viruses are working, not just trojans, is kill the av first, then execute malicious code. I've seen some interesting source (I can't remember where) that would generate a new av kill algorithm, using the same commands, just changing a few things as not to be detected. It would kill the av, infect, then generate a new av kill routine and do whatever it did to propagate. I don't know the exact specifics of kav, but I do know it is quite a bit more difficult to get something malicious past kav. I will say that no av is 100% effective, some just do a lot better of a job than others. I know all this info because a "friend" of mine is into trojans, and he always sends me his servers to scan it with norton, and 99% of the time, they are not picked up.

Originally posted here by nihil
I am now going to ask you the question before your Dad does.....(sorry, before I tell him to ask you............................ only jokin).................how many viruses have you been hit with in the last 12 months, and what were their names?

That is a fair question...so let us have the facts.....if the answer is Zero...then you do not have much to go for even with plea bargaining?....if you have a positive value (with dates) I could probably make some sort of a case for you?

Sorry that I cannot help very much without more info,

Well just FYI... :P If it were not for the kav online scan I would have received probably...4 or 5 trojans plus some other wildcards. Not that they can do much behind my firewall anyway... A few of the names I can recall...never heard of most of em
Backdoor.Lithium.B
Backdoor.Sdbot
W32.Klez.h
Nuke.LoneWolf.870 (got the names from virus db searches, don't know if it was the exact one I encountered)

And surprisingly the files came from trusted sources, who had become infected and not aware of it.

And on another note, I did a test just now, I made a trojan server, telock'd it and ran it with my norton on. It killed my norton before it was picked up...

Viper: While you can try to baffle your Dad with all this science there are two rules that will come into play in the end.

Rule 1: He who pays the bill is always right.
Rule 2. If he who pays the bills is wrong, Rule 1 applies.

So.... If your dad is going to pay for four copies of an av system he's probably going to go for the one that takes a smaller bite out of his wallet and he will be right.

OTOH, you clearly have some knowledge.... Why not offer to set a system up as a "clearing house" for all incoming stuff so that he only has to pay for one copy.... Then you'll have a better chance of getting what you want.....

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

I gave you my word, so I will have a look at what you told me and get back with my case. In the meantime, PLEASE have a look at those second level defences that I suggested. All AVs are vulnerable to being attacked/switched off........Kaspersky as much as Norton.

You might look at where Norton kicks in on your startup list, and move it to the top? then do a re-test. Just like the old Wild West...........If I draw my Colt .45 first................you are dead?

BTW I do NOT like Norton, but for completely different reasons. Although I have no reason to believe that Kaspersky is any better at the AV job than Norton.

I believe that you may be falling into the trap of "friendly questions"? By this I mean that you may be providing questions that KAV is good at, but may not be relevant, because other products will go about the same job in a different way........a sandbox, for example?

A couple of years ago I loaded a test machine with about 6 different AVs then fired some viruses at them to see which one got there first (believe it or not, some people actually race snails). A lot seemed to depend on where it loaded itself in the hierarchy, and how it actually worked.........I was using old viruses that I had captured...so all pattern files should have had them included; I was just looking at how the AVs worked.

I had almost solved the problem of perpetual motion, as one AV would spot a virus, and put it in its quarantine file.........then the next one would spot it and the one in the first AVs quarantine file and so on..........like 1,2,4,8,16,32,64.............etc

Cheers


Well I simply don't like the way norton is set up, and that doesn't contribute to me wanting to upgrade it. And as for the idea of one comp having a "good" av...that would be quite inconvenient. I think I'll just stick with my pirated kaspersky unless my dad wants to cough up a few $100.